CN1952885A - A computer system and method to check completely - Google Patents

A computer system and method to check completely Download PDF

Info

Publication number
CN1952885A
CN1952885A CN200510112892.5A CN200510112892A CN1952885A CN 1952885 A CN1952885 A CN 1952885A CN 200510112892 A CN200510112892 A CN 200510112892A CN 1952885 A CN1952885 A CN 1952885A
Authority
CN
China
Prior art keywords
operating system
file
unit
efi
trusted file
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN200510112892.5A
Other languages
Chinese (zh)
Other versions
CN100428157C (en
Inventor
张怡
周建
席振新
田宏萍
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Lenovo Beijing Ltd
Original Assignee
Lenovo Beijing Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Lenovo Beijing Ltd filed Critical Lenovo Beijing Ltd
Priority to CNB2005101128925A priority Critical patent/CN100428157C/en
Priority to PCT/CN2006/000401 priority patent/WO2007045133A1/en
Priority to US12/083,894 priority patent/US8468342B2/en
Publication of CN1952885A publication Critical patent/CN1952885A/en
Application granted granted Critical
Publication of CN100428157C publication Critical patent/CN100428157C/en
Expired - Fee Related legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Images

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/57Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
    • G06F21/577Assessing vulnerabilities and evaluating computer system security
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F11/00Error detection; Error correction; Monitoring
    • G06F11/22Detection or location of defective computer hardware by testing during standby operation or during idle time, e.g. start-up testing
    • G06F11/2284Detection or location of defective computer hardware by testing during standby operation or during idle time, e.g. start-up testing by power-on test, e.g. power-on self test [POST]

Landscapes

  • Engineering & Computer Science (AREA)
  • General Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Computer Security & Cryptography (AREA)
  • Software Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Computing Systems (AREA)
  • Quality & Reliability (AREA)
  • Stored Programmes (AREA)
  • Storage Device Security (AREA)
  • Information Retrieval, Db Structures And Fs Structures Therefor (AREA)

Abstract

This invention relates to a complete test computer system and its method, which comprises the following parts: operation mode unit with one complete test and start control to determine whether to start complete test and start mode through judging; EFI complete test unit to process complete test on EFI image codes composed of EFI complete test value to determine EFI image codes completeness by comparing test value with computation value after generation of EFI completeness; operation system completeness test unit and completeness management unit.

Description

A kind of computer system and method that carries out integrity detection
Technical field
The present invention relates to field of computer, particularly relate to a kind of computer system and method that before os starting, system is carried out integrity detection.
Background technology
At present computer networking technology extensive influence to the various aspects of individual and enterprise, demand to computer security also further improves, when people's desirable system started from the beginning, (operation system was OS) in the environment just can to guarantee to operate in reliable operating system.Can guarantee from the system start-up that safety is clean, the basis of carrying out virus prevention and preventing poisoning intrusion after being, if current operation system by virus infections unreliable running environment, then Zhi Hou any safe precaution measure all will be lost efficacy.Therefore, need realize a kind of computing system and method for promptly operating system being carried out integrity detection before os starting, guarantee that the operating system environment that starts is safe, running environment trusty is the target of people's pursuit all the time.
Usually, operating system is carried out the external system of integrity detection before this operating system operates, therefore, at present the settling mode of the problems referred to above is taked following method usually:
Utilize the method that dual mode operating system switches that operating system is carried out integrity detection: this computer system is installed two operating systems, promptly outside master operating system, an additional little operating system is installed again, in computing machine bottom firmware operation (Pre-boot) stage, selection enters this additional little operating system, carry out the integrity detection of master operating system therein, after detection finishes, zone bit and restarting systems are set, enter master operating system and operation automatically according to being provided with of zone bit.
The defective of this method is:
Defective 1: the user needs switching computer pattern constantly, uses extremely inconvenience, and additional simultaneously little operating system even through reducing, still need to occupy the system with more storage space, has increased the storage space cost of computing machine.
Defective 2: be chosen in the integrity detection of carrying out main operation in " additional operations system ", in fact do not satisfy the tightness of safe trust chain, in additional little operating system, carry out after main system operating system integrity detection finishes, must restart (Reboot) system, cause safe trust chain in fact to rupture, and the security attack at this " additional operations system " also can exist simultaneously, does not have other strategies to guarantee the reliability of additional operations system.
Defective 3: in the control flow of this scheme, zone bit must be set, the difference program need enter " additional operations system ", needs to enter master operating system after still detection finishes, and this has increased cost and complicacy for conceptual design.And zone bit is set also has security breaches, the disabled user can detect by phantom load position skip operations system integrity.Simultaneously, detecting finishes needs restarting systems, and user experience has much room for improvement.
This shows, only in the computing machine bottom firmware operation phase, be the work that Pre-boot stage complete operation system integrity and reliability detect, just can effectively guarantee the consistance and the continuity of safe trust chain, satisfy the computed security requirement of people.Simultaneously, detection finishes and can directly start the operating system, and need not to restart (Reset) process, removes the design of os starting zone bit from, and can obtain user experience preferably.But, it is very complicated to go up the above function of realization at traditional computer bottom firmware (being the BIOS aspect), at this moment because the function of traditional B IOS is limited, especially to the access interface deficiency of file system, be difficult to realize data analysis to the complex operations system file, therefore, on traditional B IOS, realize comparatively difficulty of above function, influenced further developing of its technology.。
Summary of the invention
The object of the present invention is to provide a kind of computer system and method that carries out integrity detection, it is based on EFI BIOS, and the integrality in the computing machine bottom firmware operation phase to operating system detects.
A kind of computer system of carrying out integrity detection that provides for achieving the above object, comprise the EFI storage unit, also comprise the operational mode unit, it comprises an integrity detection start-up control amount, after the basic initialization of PEI stage CPU, chipset, mainboard is finished, by judging this operational mode unit, whether decision starts the integrity detection start-up mode.
Described EFI storage unit comprises the EFI integrity detection unit, is used in the integrity detection start-up mode EFI code image being carried out integrity detection;
The EFI integrity detection unit comprises EFI integrity measurement value, be used for the EFI code image being carried out integrity detection in the EFI integrity detection unit, behind the EFI integrality calculated value that generates, compare with calculated value, determine the integrality of EFI code image according to metric.
The operational mode unit can be stored in the hardware cell.
FV RECOVERY unit in the described EFI storage unit can be read-only code unit.
Described computer system also includes EFI code image recovery unit, be used for the EFI code image being carried out integrity detection when the EFI integrity detection unit, when determining that the EFI code image is imperfect, call the EFI image recovery code in the described unit, recover the EFI code image.
Described computer system also comprises the operating system integrity detection unit, is used for executing before starting the operating system the operating system integrity detection;
Described operating system integrity detection unit comprises the trusted file detecting unit, be used for call operation system integrity detection method, execution is carried out integrity detection to each trusted file, judge relatively whether each trusted file code is distorted, generate the trusted file calculated value at each file successively, the operating system file integrality is detected;
Described computer system also comprises the trusted file metric, be used for the operating system integrity detection unit each trusted file is carried out integrity detection, judge relatively whether each trusted file code is distorted, after generating the trusted file calculated value at each file successively, compare with calculated value according to the trusted file metric, determine the integrality of single trusted file, and then the integrality of definite all trusted file of operating system.
Described operating system integrity detection unit also comprises disk parameter Data Detection unit, is used for the reading disk supplemental characteristic, and whether detect its disk parameter data complete, calls the trusted file detecting unit again and carries out single trusted file integrity detection.
Described computer system also comprises the disk parameter metric, be used for the disk that the operating system integrity detection unit stores operating system file and carry out the disk parameter integrity detection, after generating disk parameter integrality calculated value, described metric is compared with calculated value, determines the integrality of this operating system memory disk.
Computer system also comprises the disk parameter data recovery unit, is used for calling the disk parameter data in this unit, the force revert data in magnetic disk when to detect disk parameter be imperfect in disk parameter Data Detection unit.
Described computer system also comprises the trusted file tabulation, be used for after the disk parameter Data Detection is finished, search contrast operation system trusted file name, whether detect all trusted file all exists, guarantee the integrality of operating system trusted file, call the trusted file detecting unit then and carry out single trusted file integrity detection.
Computer system also comprises operating system trusted file recovery unit, when the operating system integrity detection unit compares by trusted file tabulation or trusted file metric the operating system trusted file, after carrying out integrity detection, determine that the operating system trusted file is imperfect or when being distorted, call the operating system trusted recovery file of preserving in advance, this trusted file of force revert, the operating system environment that regains one's integrity.
The trusted file metric, the disk parameter metric, the trusted file tabulation, EFI code image recovery unit, disk parameter data recovery unit and operating system trusted recovery file unit are stored in the EFI safe storage parts, described EFI safe storage parts are the local secure storage parts, perhaps external safe storage parts, when described external safe storage parts were the telesecurity memory unit, described operating system trusted recovery file storage was in the telesecurity memory unit;
Described computer system also comprises the simple network driver element, simple TCP Socket driver element, be used for when definite operating system file is imperfect, call the simple network driver element, simple TCP Socket driver element is connected to the telesecurity memory unit by network, and the operating system trusted recovery file that is stored in the telesecurity memory unit is downloaded to the local recovery operating system file.
Computer system also comprises the Integrity Management unit, when being used to be provided with the EFI startup, whether need complete detection start-up mode, and the credible associated documents of operating system that can allow the user to relate to according to the needs customization operations system of system operation, regenerate the disk parameter metric, the trusted file tabulation, the trusted file metric.
Described Integrity Management unit comprises:
Safe class is provided with the unit: the start-up mode that is used to be provided with described computer system;
Integrality preset unit: be used for customization operations system trusted file, regenerate the disk parameter metric, trusted file tabulation, trusted file metric and operating system trusted file, when system carries out integrity detection once more, carry out the operating system integrity detection according to new benchmark;
EFI integrality preset unit: when the user selected the EFI integrality to preset management, operation EFI integrality preset unit generated new EFI integrity measurement value.
The method that the present invention also provides a kind of computer system integrity to detect comprises the EFI integrity detection, promptly comprises the following steps:
Steps A: powering in system moves to the PEI stage, and after the basic initialization of CPU, chipset, mainboard was finished, according to the operational mode unit, whether decision opened the integrity detection start-up mode, otherwise directly opens computer system according to common start-up mode;
Step B: when starting EFI BIOS, call the EFI integrity detection unit and calculate EFI integrality calculated value with the integrity detection start-up mode;
Step C: judge relatively whether current EFI integrity measurement value and calculated value equate, if equate, illustrate that then the EFI code image is complete, carry out EFI BIOS and start subsequent process; If unequal, illustrate that the EFI code image is imperfect, carry out subsequent process;
Step D: when the EFI code image is imperfect, the EFI image file recovery the code whether user selects to call in the EFI image file recovery unit recovers, if then carry out the EFI code image and recover, finish the EFI integrity detection, carry out the EFI subsequent process; Otherwise it is out of service.
Described computer system integrity detection method also comprises the operating system integrity detection, promptly also comprises the following steps:
Step e: after the EFI integrity detection is finished, the flow process in operation DXE stage, DXE scheduling operation system integrity detecting unit is loaded into internal memory;
Step F: enter the BDS stage, if the operational mode unit is the integrity detection setting, the described operating system integrity detection unit of invocation step E then;
Step G: the trusted file detecting unit call operation system integrity detection method in the operating system integrity detection unit, execution is carried out integrity detection to each trusted file, judge relatively whether each trusted file code is distorted, generate the trusted file calculated value at each file successively, the operating system file integrality is detected;
Step H: compare with calculated value according to the trusted file metric, determine the integrality of single trusted file, and then the integrality of definite all trusted file of operating system.
Described operating system integrity detection can also comprise the following steps:
Step I: when the operating system trusted file was distorted, the prompting user can carry out the operating system trusted file and recover, if the user selects not recover, then stopped the load operation system, if after the user selects to recover, carry out next step;
Step J: whether the file that detects the local operation system is consistent with corresponding operating system trusted file, if all consistent, loads and the operation system; Otherwise, enter next step;
Step K: whether the prompting user recovers, if the user selects not recover, then stops the load operation system, if then the user selects to recover, then corresponding operating system trusted file is replicated and covers corresponding file, loads and the operation system.
Described step G can comprise the steps:
Step G1: the operating system integrity detection unit is at first called disk parameter Data Detection unit, reading disk parameter MBR, active partition, partition table information is calculated MBR, active partition by hashing algorithm, the calculated value of partition table information, and compare with the disk parameter metric, whether detect disk parameter complete, and just the trusted file detecting unit in the call operation system integrity detecting unit carries out integrity detection to single trusted file then.
Described step G1 can comprise the steps:
Step G11: when to detect disk parameter be imperfect in disk parameter Data Detection unit, call the disk parameter data in the disk parameter data recovery unit, the force revert data in magnetic disk.
Described step G can also comprise the following steps:
Step G2: after the disk parameter Data Detection is finished, carrying out the tabulation of operating system trusted file detects, search contrast operation system trusted file name, whether detect all trusted file all exists, guarantee the integrality of operating system trusted file, just call the trusted file detecting unit then and carry out single trusted file integrity detection.
Described step G2 can also comprise the following steps:
Step G21: when operating system trusted file tabulation detected the operating system trusted file and do not exist, force call operating system trusted file recovery unit recovered this operating system trusted file.
In addition, described operating system integrity detection still can comprise the following steps:
Step I: when operating system file is imperfect, the prompting user can carry out the operating system trusted file and recover, if the user selects not recover, then stop the load operation system, after if the user selects to recover, call the simple network driver element, simple TCP Socket driver element is connected to telecommunication network;
Step J: whether the file of detecting operation system is consistent with corresponding operating system trusted file, if all consistent, close bottom-layer network and connects, and loads and the operation system; Otherwise, enter next step;
Step K: whether the prompting user recovers, if the user selects not recover, then stop the load operation system, if then the user selects to recover, then the corresponding operating system trusted file on the remote server is replicated and is sent to this locality, cover corresponding file, close bottom-layer network then and connect, load and the operation system.
Described step G can comprise the steps:
Step G1: the operating system integrity detection unit is at first called disk parameter Data Detection unit, reading disk parameter MBR, active partition, partition table information is calculated MBR, active partition by hashing algorithm, the calculated value of partition table information, and compare with the disk parameter metric, whether detect disk parameter complete, and just the trusted file detecting unit in the call operation system integrity detecting unit carries out integrity detection to single trusted file then.
Described step G1 can comprise the steps:
Step G11: when to detect disk parameter be imperfect in disk parameter Data Detection unit, call the disk parameter data in this unit, the force revert data in magnetic disk.
Described step G can also comprise the following steps:
Step G2: after the disk parameter Data Detection is finished, carrying out the tabulation of operating system trusted file detects, search contrast operation system trusted file name, whether detect all trusted file all exists, guarantee the integrality of operating system trusted file, just call the trusted file detecting unit then and carry out single trusted file integrity detection.
Described step G2 can also comprise the following steps:
Step G21: when operating system trusted file tabulation detects the operating system trusted file and do not exist, the prompting user can carry out the operating system trusted file and recover, if the user selects not recover, then stop the load operation system, after if the user selects to recover, call the simple network driver element, simple TCP Socket driver element is connected to telecommunication network;
Step G22: whether corresponding operating system trusted file is consistent on the file that detects the local operation system and the remote server, if all consistent, close bottom-layer network and connects, and returns and carries out operating system trusted file tabulation inspection again; Otherwise, enter next step;
Step G23: whether the prompting user recovers, if the user selects not recover, then stop the load operation system, if then the user selects to recover, then the corresponding operating system trusted file on the remote server is replicated and is sent to this locality, cover corresponding file, close bottom-layer network then and connect, return and carry out operating system trusted file tabulation inspection again.
Described computer system integrity detection method also comprises the Integrity Management configuration, and it comprises the steps:
Step L: after the user has passed through the operating system integrity detection, select whether to enter operating system Integrity Management unit;
Step M:, then directly start the operating system if the user does not select to enter operating system Integrity Management unit; When the user selects to enter operating system Integrity Management unit, display operation system integrity administration interface, the user manages configuration to the operating system integrality;
Described step M comprises the following steps:
Step M1: when the user selected the safe class management, the security of operation grade was provided with the unit, and present computer system security grade is set;
Step M2: when user's selection operation system integrity file presets management, operation system integrity file preset unit, customization operating system trusted file.
Step M3: when the user selected the EFI code integrity to preset management, operation EFI integrality preset unit generated new EFI integrity measurement value.
Stating step M2 comprises the following steps:
Step M21) operation system integrity file preset unit, prompting is also selected to increase or is reduced the operating system trusted file by the user;
Step M22) the operating system trusted file of selecting according to the user generates the disk parameter metric, trusted file tabulation, trusted file metric and the operating system trusted file that relates to thereof;
Step M23) will generate the disk parameter metric, the trusted file tabulation, trusted file metric and the operating system trusted file that relates to thereof store the safe storage parts into;
Step M24) return system integrity administrative unit.
The invention has the beneficial effects as follows: the present invention has realized that a kind of computing machine bottom firmware operation (Pre-boot) stage at EFI BIOS carries out the system and method for operating system integrity detection.It has effectively solved the authentication question of the operating system integrality of the EFI BIOS aspect before the os starting, effectively guarantees the consistance and the tightness of safe trust chain, satisfies the computed security requirement of people.Effectively break through the limitation that detects in the enterprising line operate system integrity of traditional B IOS, solved the various defectives that exist of previous method.Advantages such as system and method support function of the present invention is powerful, and relatively the realization system and method for traditional B IOS is simple and practical relatively, dirigibility is stronger, support function is more powerful, applicability is stronger.
Description of drawings
Fig. 1 is a storage layout of the present invention synoptic diagram;
Fig. 2 is an EFI workflow diagram of the present invention;
Fig. 3 is an EFI image file integrity detection process flow diagram of the present invention;
Fig. 4 is an operating system integrity detection process flow diagram of the present invention;
Fig. 5 is an Integrity Management of the present invention interface synoptic diagram;
Fig. 6 is an embodiment of the invention integrity detection start-up course synoptic diagram.
Embodiment
1-6 further describes the present invention below in conjunction with accompanying drawing, and present embodiment has been described one under the EFI environment, uses technical scheme of the present invention to finish the computer system of integrity detection, and the performing step that cooperates this computer system integrity to detect.
At first, be to describe the present invention in detail, below explanation EFI technology earlier:
The present invention will be referred to Extensible Firmware Interface (EFI) technology, Extensible Firmware Interface (ExtensibleFirmware Interface, EFI) be occurred in 1999 continue to use the interface routine of new generation of Basic Input or Output System (BIOS) (BIOS) for many years in order to replacement, about the introduction of Extensible Firmware Interface, see UEFI forum for details and introduce http://www.UEFI.org about the EFI technology.EFI is between hardware device and operating system (such as Windows or Linux).Different with traditional BIOS, write in EFI use whole world higher level lanquage C language the most widely, it provides not only has the function of traditional B IOS but also the expanded function that is better than traditional B IOS is arranged, on design mechanism and framework, also be different from the realization of traditional B IOS, it is BIOS interface specification of future generation, this just means the development that has more slip-stick artist can participate in EFI, adds many more valuable functions.
The basic function that EFI possesses is:
The hardware platform initialization;
Support starts the operating system;
The platform management instrument of separating system.
The mode of operation of EFI can simply reduce: start-up system, standard firmware platform initialization, then carry out relative program from loading EFI driver storehouse and reaching, in EFI system start-up menu, choose the system that will enter and submit to and start guidance code to EFI, normal words will enter system, otherwise will end to start service and return EFI system start-up menu.Engineers can according to different need be for EFI increases new function, such as practical more in detail diagnostic function, self-configuration program, list contingent fault of system or the like.
Shown in Fig. 1-6, a kind of computer system of carrying out integrity detection of the present invention realizes that on EFIBIOS it comprises hardware and software, and hardware comprises mainboard, central processing unit (CPU), internal memory, hard disk and peripheral hardware.
Mainboard and CPU are respectively mainboard and the CPU that supports the EFI standard.
Shown in Fig. 1,6, the EFI storage unit 1 of computer system of the present invention (EFI Flash ROMLayout) comprises FV_RECOVERY unit 2, FV_NVRAM unit 3, FV_MAIN unit 4.
BIOS ROM storage unit 1 is the storer that is used for storing BIOS on the mainboard, and this Storage Unit Type can adopt diversified chip, as ROM, EPROM, EEPROM, FLASH ROM etc.
FV_RECOVERY unit 2, FV_NVRAM unit 3, FV_MAIN unit 4 are the code segment with difference in functionality or code volumes of dividing by memory address in EFI storage unit 1.
1) SEC of FV_RECOVERY unit 2 storage EFI and the operation code unit in PEI stage
SEC (Security) stage: its be used for powering in computer system (Power On) begins to start, before PEI stage (PEI foundation) beginning, whether the inspection processor is carried out the code of several leading row and can be carried out, simultaneously, it is carried out the very little interim memory block of initialization and uses for the operation code unit in PEI stage;
PEI (Pre-EFI Initialization) stage: it is used to call processor, chipset, mainboard initial configuration routine, carries out the preliminary initialization of system, but the minimized running environment that foundation can move for the DXE stage.Wherein, but the function of minimized running environment comprise: the path of navigation (boot path) of determining system; The initialization internal memory; Initialization comprises the storage file of the basic input and output of DXE partial code storage, can correctly visit to guarantee the file after the DXE file unit.
2) FV_NVRAM unit storage system variable
Some environmental system variablees that EFI needs all can read from this unit with variable format.
3) the FV_MAIN section comprises the operation code unit in DXE and BDS stage
DXE (the Driver Execution Environment) stage: it is used to finish the initialized groundwork of system platform, be responsible for comprehensive initialization CPU, chipset and system platform, and offering enough services that starts the operating system, assurance operating system can be moved in subsequent phase.In this document unit, system will load a large amount of EFI drivings and support to finish above-mentioned functions.
BDS (the Boot Device Selection) stage: it is used for selection operation system start-up equipment, and is ready for starting the operating system.
As shown in Figure 6, the present invention is an EFI computer system based on framework (framework), and the operational scheme of whole EFI experiences several Main Stage: the SEC stage from cold start-up (Code boot); The PEI stage; The DXE stage; The BDS stage.Be some additional phase of EFI thereafter, it has comprised in the startup and operational process of operating system, mutual and engagement process: TSL (Transient System Load) stage of EFI and operating system allows not to be operated as yet under the situation that system takes over fully in system, and the EFI that can call in the operating system loading process (Os loader) serves; RT (runtime) stage provides and operating system parallel running service (Runtime service), to support the demand of operating system; AL (Afterlife) stage means when operating system finishes to carry out, and reenters EFI, continues to take over the reason operation.
Computer system of the present invention is in common start-up mode (BootMode), increases a kind of start-up mode (BootMode), is integrity detection start-up mode (BOOT_IN_OS_INTEGRITY), in this computer system, comprising:
The operational mode unit: comprise an integrity detection start-up control amount, whether this controlled quentity controlled variable control starts the integrity detection start-up mode.
The operational mode unit can be stored in the hardware cell, for example: a hardware switch is set, this switch one end ground connection, the other end is bound up on the I/O control module of computer motherboard, interface between this hardware switch and the I/O control module can be: GPIO, serial ports, parallel port or USB mouth, but be not limited to this.From " opening " or the "off" state of the I/O address read switch at this hardware switch place, whether decision computer starting mode is the integrality start-up mode.
The operation code unit in described PEI stage comprises:
EFI integrity detection unit 5 is used at CPU (CPU INIT), chipset (Chipset INIT), and after mainboard (Board INIT) was finished preliminary initialization, operation EFI integrity detection unit 5 detected EFI code image integrality.
EFI integrity detection unit 5 comprises EFI integrity measurement value, be used for carrying out integrity detection in 5 pairs of EFI code image of EFI integrity detection unit, behind the EFI integrality calculated value that generates, compare with calculated value, determine the integrality of EFI code image according to metric.
EFI integrity detection unit 5 is stored in the FV_RECOVERY unit.
Preferably, the FV_RECOVERY unit 2 in the described computer system EFI storage unit 1 is read-only (ROM) unit.
Power in system, the operation SEC stage enters the PEI stage, CPU (CPU INIT), chipset (Chipset INIT), after mainboard (Board INIT) is finished preliminary initialization,, judge whether its start-up mode is the integrity detection start-up mode according to the operational mode unit, if then open the integrity detection start-up mode, otherwise open computer system according to normal start-up mode.
If what start is the integrity detection start-up mode, then move EFI integrity detection unit 5, the EFI code image is carried out integrity detection, the EFI integrality calculated value of generation is compared with calculated value according to metric, determines the integrality of EFI code image.
In computer system of the present invention, also include EFI code image (Image) recovery unit 8, after 5 pairs of EFI code image of EFI integrity detection unit are carried out integrity detection, the EFI integrality calculated value that generates, compare with calculated value according to metric, when determining that the EFI code image is imperfect, call the EFI code in the above-mentioned recovery unit, recover EFI mirror image (Image) code.
In EFI computer system of the present invention, also comprise the operating system integrity detection:
In the integrity detection start-up mode, after EFI integrity detection unit 5 is finished the EFI integrity detection, enter DXE (Driver execution environment), BDS (Boot Device Selection) during the stage, by operating system integrity detection unit 6 (module) detecting operation system integrity, and then start the operating system.
Operating system integrity detection unit 6, be used for executive operating system integrity detection before starting the operating system, it comprises disk parameter Data Detection unit, be used for the reading disk supplemental characteristic, start record (Master Boot Record as the disk master, MBR), active partition, partition table etc., whether and it is complete to detect these disk parameters, as calculating MBR, the calculated value of active partition, partition table by hashing algorithm (HASH algorithm), whether compare with the disk parameter metric, it is complete to detect its disk parameter data.
Described disk parameter metric 10 is set in advance in the computer system, and the calculated value that is used for this unit detecting behind disk parameter is compared, and judges whether disk parameter is complete.
Whether the computer system in the present embodiment also comprises operating system trusted file tabulation 11, is used to search contrast operation system trusted file name, detect all operating system trusted file and all exist.
The operating system trusted file is a series of a plurality of files that can not be distorted that keep the operating system integrality.When finding wherein that certain file is distorted or when imperfect, can accessing the correct file (operating system trusted recovery file) of preservation, recover then from the position of storage in advance.
Operating system integrity detection unit 6 also comprises the trusted file detecting unit, be used for call operation system integrity detection method, execution is carried out integrity detection to each trusted file, judge relatively whether each trusted file code is distorted, generate the trusted file calculated value at each file successively, the comparison of completeness value is used for the operating system file integrality is detected.
The operating system integrality detection method can be the whole bag of tricks of calculating operation system file code integrity, in the present embodiment hashing algorithm (HASH algorithm), if determine that an operating system n core document is the trusted file of operating system, in this n file (operating system trusted file), there is one to change, just mean that operating system is no longer complete, hashing algorithm calculates (hash) value for each file, hash value of each file logging, compare one by one, any one hash value of this n file changes, and all means the operating system destroy integrity.
Described operating system integrality detection method can be replaced, and its method can be very complicated, also can be very simple, therefore do not limit its actual implementation method herein.
Described computer system also comprises the trusted file metric, be used for the operating system integrity detection unit each trusted file is carried out integrity detection, judge relatively whether each trusted file code is distorted, after generating the trusted file calculated value at each file successively, compare with calculated value according to metric, determine the integrality of single trusted file, and then the integrality of definite all trusted file of operating system.
As shown in Figure 6, system is the executive operating system integrity detection before starting the operating system, be after the EFI integrity detection, the DXE stage, carry out guide service (Boot Services), operation service (RuntimeService), enter DXE scheduling (DXE Dispatcher), during this, with loading equipemtn (Devices), bus (Bus) or serial equipment drive (Serial driver), comprise that the operating system integrity detection drives, and enters BDS after the stage, if start-up mode is an operating system integrity detection pattern, then with call operation system integrity detecting unit 6, executive operating system integrity detection.
Operating system integrity detection unit 6 is at first called disk parameter Data Detection unit, reading disk parameter MBR, active partition, partition table information, calculate MBR, active partition, the calculated value of partition table information by hashing algorithm, and compare with disk parameter metric 10, whether detect disk parameter complete;
Then, carry out operating system trusted file tabulation 11 and detect, check whether trusted file all exists;
At last, trusted file detecting unit call operation system integrity detection method, execution is carried out integrity detection to each trusted file, judge relatively whether each trusted file code is distorted, generate the trusted file calculated value at each file successively, the operating system file integrality is detected; Compare with calculated value according to trusted file metric 12, determine the integrality of single trusted file, and then the integrality of definite all trusted file of operating system.
Code in the operating system integrity detection unit all is stored in the EFI code unit with drive form, and EFIBIOS is in start-up course, with the form call operation system integrity detecting unit that drives.
In the integrity detection start-up mode of the present invention, at DXE, the BDS stage, the DXE stage operation code unit pack that comprises contains: simple network driver element (Simple Network Driver), simple TCPSocket driver element (Simple Tcp Socket Driver), these unit are called in the stage to cooperate at BDS and support operating system integrity detection function.
In computer system of the present invention, also comprise:
Disk parameter data recovery unit 7: the disk parameter in this unit includes but not limited to MBR, active partition, partition table etc., when to detect disk parameter be imperfect in disk parameter Data Detection unit, call the disk parameter data in this unit, the force revert data in magnetic disk.
Operating system trusted file recovery unit 9: the operating system trusted file in this unit can include but not limited to: operating system nucleus file, crucial trust data file etc.Can customizing of operating system trusted file according to the needs of system's operation and user's needs.After the operating system integrity detection unit detects the operating system file integrality, compare with calculated value according to metric, when determining that operating system file is imperfect, call the operating system trusted file in the described operating system trusted file recovery unit 9, the recovery operation system file.
Described trusted file metric 12, disk parameter metric 10, trusted file tabulation 11, EFI code image (Image) recovery unit 8, disk parameter data recovery unit 7 and operating system trusted file recovery unit 9 can be stored in the EFI safe storage parts.
EFI safe storage parts are the local secure storage parts; perhaps external safe storage parts; it can be any any safe storage parts that connect by system bus, USB, wireless network, cable network; comprise hard disk with safety protection function; as has the hard disk of HPA (Host Protected Area); or have the flash storer of access control function, or have the high capacity USB safe storage parts of access control function by USB interface with connecting.
Preferably, described external safe storage parts are the telesecurity memory unit, and operating system trusted file recovery unit 9 is stored in the telesecurity memory unit; Trusted file metric 12, disk parameter metric 10, trusted file tabulation 11, EFI code image (Image) recovery unit 8, disk parameter data recovery unit 7 is stored in the local secure storage parts.When definite operating system file is imperfect, call the simple network driver element, simple TCP Socket driver element is connected to the telesecurity memory unit by network, and the operating system trusted file of downloading in this unit arrives the local recovery operating system file.
Because EFI directly supports the file read-write function, files such as described EFI image file (Image) and operating system trusted file all can be stored in the safe storage parts with file format, utilize EFI file access interface to conduct interviews, need increase a series of file system access interface when relatively on traditional B IOS, realizing, its implementation is more simple, favorable expandability.
In the computer system of the present invention, can also comprise the Integrity Management unit, its function is when the EFIBIOS startup is set, whether need complete detection start-up mode, and can allow the user according to the credible associated documents of operating system that the needs customization operations system of system operation relates to, regenerate operating system integrity measurement value.The user can realize that integrity detection is provided with management function flexibly in this administrative unit.This administrative unit comprises the following units:
Safe class is provided with the unit: when the user is provided with present BIOS safe class for " high safety grade ", then in EFI BIOS start-up course, necessary complete detection start-up mode is by EFI integrity detection and operating system integrity detection overall process ability load operating operating system; If be set to the lower security grade, mean that then level of security is not high, the user does not need the complete detection.
Operating system integrality file preset unit: the user customizes the credible associated documents that it relates to according to the needs of system's operation and user's needs, the user can be from the newly-generated generation disk parameter of a little unit weighs metric 10, trusted file tabulation 11, trusted file metric 12, and the credible associated documents that relate to, when system carries out integrity detection once more, will carry out the operating system integrity detection according to newly-generated benchmark.
EFI integrality preset unit: when the user selected the EFI integrality to preset management, operation EFI integrality preset unit generated new EFI integrity measurement value.
Preferably, system's setting has only the power user just can enter the Integrity Management unit, relates to safe class setting and file preparatory function.
The present invention is memory disk parameter metric 10 in the safe storage parts in advance, trusted file tabulation 11, trusted file metric 12, disk parameter data recovery unit 7, EFI image recovery code (Image) unit 8, operating system trusted file recovery unit 9, expansion realizes carrying out the EFI system architecture of integrity detection, it is in EFI BIOS start-up course, carry out the EFI integrity detection earlier, carry out the operating system integrity detection of computing machine bottom firmware operation phase then, after the operating system that affirmation will start, just allow guiding and load this operating system.The present invention has guaranteed that fully the reliability before the os starting detects, do not rely on operating system, only depend on the detection chain of EFI BIOS, guaranteed the safety of operating system and credible, thereby strict guarantee the credible wilfulness of operating system environment, satisfy application demand, and realize that cost is low, the application interface availability is strong.
Describe the method step that computer system integrity detects that carries out of the present invention in detail below in conjunction with described computer system:
Shown in Fig. 2-6, computer system of the present invention, be in the PEI stage, after the basic initialization of CPU, chipset, mainboard, carry out the EFI integrity detection, the operating system integrity detection, and can be in the integrity detection process, when finding that EFI file (Image) code or operating system file are imperfect, select whether to carry out file and recover, can also carry out operating system integrity detection administration configuration.
The EFI integrity detection comprises the steps:
Steps A: power in system, the operation SEC stage, enter into the PEI stage, CPU initialization (CPUINIT), chipset initialization (Chipset INIT) is after mainboard initialization (Board INIT) is finished, operation operational mode unit, judge that integrity detection start-up control amount is a true or false, if for very then open the integrity detection start-up mode, otherwise directly according to common start-up mode unlatching computer system;
Step B: when starting EFI BIOS, call EFI integrity detection unit 5 and calculate EFI integrality calculated value with hashing algorithm (hash algorithm) with the integrity detection start-up mode;
Step C: judge relatively whether current EFI integrity measurement value and calculated value equate, if equate, illustrate that then the EFI code image is complete, carry out EFI and start subsequent process; If unequal, illustrate that the EFI code image is imperfect;
Step D: when the EFI code image is imperfect, the EFI image file recovery the code whether user selects to call in the EFI code image recovery unit 9 recovers, if then carry out the EFI code image and recover, finish the EFI integrity detection, carry out the EFI subsequent process; Otherwise it is out of service.
After the EFI integrity detection is finished, system's executive operating system integrity detection:
Step e: after the EFI integrity detection is finished, the flow process in operation DXE stage, DXE scheduling operation system integrity detecting unit 6 is loaded into internal memory;
Step F: enter the BDS stage, if the operational mode unit is the integrity detection setting, the described operating system integrity detection unit 6 of invocation step E then;
Step G: the trusted file detecting unit call operation system integrity detection method in the operating system integrity detection unit 6, execution is carried out integrity detection to each trusted file, judge relatively whether each trusted file code is distorted, generate the trusted file calculated value at each file successively, the operating system file integrality is detected;
Step G also comprises the following steps:
Step G1: operating system integrity detection unit 6 is at first called disk parameter Data Detection unit, reading disk parameter MBR, active partition, partition table information, calculate MBR, active partition, the calculated value of partition table information by hashing algorithm, and compare with disk parameter metric 10, whether detect disk parameter complete;
Step G2: after the disk parameter Data Detection is finished, carrying out operating system trusted file tabulation 11 detects, search contrast operation system trusted file name, whether detect all trusted file all exists, guarantee the integrality of operating system trusted file, just call the trusted file detecting unit then and carry out single trusted file integrity detection.
Step G1 also comprises the following steps:
Step G11: when to detect disk parameter be imperfect in disk parameter Data Detection unit, call the disk parameter data in the disk parameter data recovery unit 7, the force revert data in magnetic disk.
Step G2 also comprises the following steps:
Step G21: when operating system trusted file tabulation 11 detects the operating system trusted file and do not exist, the prompting user can carry out the operating system trusted file and recover, if the user selects not recover, then stop the load operation system, after if the user selects to recover, call the simple network driver element, simple TCP Socket driver element is connected to telecommunication network;
Step G22: whether corresponding operating system trusted file is consistent on the file that detects the local operation system and the remote server, if all consistent, close bottom-layer network and connects, and returns and carries out operating system trusted file tabulation 11 inspections again; Otherwise, enter next step;
Step G23: whether the prompting user recovers, if the user selects not recover, then stop the load operation system, if then the user selects to recover, then the corresponding operating system trusted file on the remote server is replicated and is sent to this locality, cover corresponding file, close bottom-layer network then and connect, return and carry out operating system trusted file tabulation 11 inspections again.
Step H: compare with calculated value according to the trusted file metric, determine the integrality of single trusted file, and then the integrality of definite all trusted file of operating system;
Step I: when operating system file is imperfect, the prompting user can carry out the operating system trusted file and recover, if the user selects not recover, then stop the load operation system, after if the user selects to recover, call the simple network driver element, simple TCP Socket driver element is connected to telecommunication network;
Step J: whether corresponding operating system trusted file is consistent on the file that detects the local operation system and the remote server, if all consistent, close bottom-layer network and connects, and loads also operation system; Otherwise, enter next step;
Step K: whether the prompting user recovers, if the user selects not recover, then stop the load operation system, if then the user selects to recover, then the corresponding operating system trusted file on the remote server is replicated and is sent to this locality, cover corresponding file, close bottom-layer network then and connect, load and the operation system.
, can carry out the security of system configuration and be provided with by after the operating system integrity detection the user, comprise the steps:
Step L: after the user has passed through the operating system integrity detection, can select whether to enter operating system Integrity Management unit by pressing special function keys;
Step M:, then directly start the operating system if the user does not select to enter operating system Integrity Management unit; When the user selects to enter operating system Integrity Management unit, display operation system integrity administration interface, the user manages configuration to the operating system integrality;
Step M1: when the user selects the safe class management, the security of operation grade is provided with the unit, in this administrative unit, realize operating system Integrity Management function flexibly, can allow the user that present computer system security grade is set, if be set to high safety grade, then in EFI BIOS start-up course, must could load and the operation system by the integrity detection overall process; If be set to the lower security grade, then the undo system integrity detects.
Step M2: when user's selection operation system integrity file preset management, operation system integrity file preset unit allowed the user to customize the operating system trusted file that it relates to according to the needs of system's operation and user's needs:
Step M21: operation system integrity file preset unit, prompting is also selected to increase or is reduced the operating system trusted file by the user;
Step M22: the operating system trusted file according to the user selects generates the disk parameter metric, trusted file tabulation, trusted file metric and the operating system trusted file that relates to thereof;
Step M23: will generate the disk parameter metric, the trusted file tabulation, trusted file metric and the operating system trusted file that relates to thereof store the safe storage parts into;
Step M24: return system integrity administrative unit.
Step M3: when the user selected the EFI code integrity to preset management, operation EFI integrality preset unit generated new EFI integrity measurement value.
The present invention has realized that a kind of computing machine bottom firmware operation phase (Pre-boot stage) that starts at EFI BIOS carries out the computer system and the method for integrity detection.It has effectively solved the integrated authentication problem of the BIOS aspect before the os starting, effectively guarantees the consistance and the tightness of safe trust chain, satisfies aforesaid background technology demand fully; It finishes and can directly start the operating system in integrity detection, need not to restart (Reset) process, removes the design of os starting zone bit from, and can obtain user experience preferably, effectively solves the various defectives that exist of previous method; Simultaneously, its support function is also very powerful, and relatively the implementation method of traditional B IOS is more simple, better effects if; And support to be stored in the operating system trusted file is stored in the telesecurity memory unit, realize that the remote network operation system integrity detects recovery, but further expand the usable range of this method to have big technical advantage than traditional B IOS.Further, it provides the better graphical user's safety management of friendly configuration interface, have better ease for use and dirigibility: utilize the graphical base interface of EFI, and cooperation expansion implementation method, make the user use unified graphical interfaces complete operation system integrity administration configuration function, technical scheme is easy-to-use more flexibly.
Present embodiment is in order to understand the detailed description that the present invention carries out better; and be not the qualification of scope that the present invention is protected; therefore; those of ordinary skills do not break away under the purport situation of the present invention; without creative work to this bright change of making, in protection scope of the present invention.

Claims (30)

1. the computer system that can carry out integrity detection comprises EFI storage unit (1), it is characterized in that, also comprises:
The operational mode unit, it comprises an integrity detection start-up control amount, after the basic initialization of PEI stage CPU, chipset, mainboard was finished, by judging this operational mode unit, whether decision started the integrity detection start-up mode;
Described EFI storage unit comprises:
EFI integrity detection unit (5) is used in the integrity detection start-up mode EFI code image being carried out integrity detection;
EFI integrity detection unit (5) comprises EFI integrity measurement value, be used for the EFI code image being carried out integrity detection in the EFI integrity detection unit, behind the EFI integrality calculated value that generates, compare with calculated value, determine the integrality of EFI code image according to metric.
2. computer system according to claim 1 is characterized in that the operational mode unit is stored in the hardware cell.
3. computer system according to claim 1 is characterized in that, the FV RECOVERY unit (2) in the described EFI storage unit is read-only code unit.
4. computer system according to claim 1, it is characterized in that, also include EFI code image recovery unit (8), be used for the EFI code image being carried out integrity detection when EFI integrity detection unit (5), when determining that the EFI code image is imperfect, call the EFI image recovery code in the described unit (8), recover the EFI code image.
5. computer system according to claim 4 is characterized in that, also comprises operating system integrity detection unit (6), is used for executing before starting the operating system the operating system integrity detection;
Described operating system integrity detection unit (6) comprises the trusted file detecting unit, be used for call operation system integrity detection method, execution is carried out integrity detection to each trusted file, judge relatively whether each trusted file code is distorted, generate the trusted file calculated value at each file successively, the operating system file integrality is detected;
Described computer system also comprises trusted file metric (12), be used for operating system integrity detection unit (6) each trusted file is carried out integrity detection, judge relatively whether each trusted file code is distorted, after generating the trusted file calculated value at each file successively, compare with calculated value according to metric, determine the integrality of single trusted file, and then the integrality of definite all trusted file of operating system.
6. computer system according to claim 5, it is characterized in that, described operating system integrity detection unit (6) also comprises disk parameter Data Detection unit, be used for the reading disk supplemental characteristic, whether complete, call the trusted file detecting unit again and carry out single trusted file integrity detection if detecting its disk parameter data.
Described computer system also comprises disk parameter metric (10), be used for the disk that operating system integrity detection unit (6) stores operating system file and carry out the disk parameter integrity detection, after generating disk parameter integrality calculated value, described metric is compared with calculated value, determines the integrality of this operating system memory disk parameter.
7. computer system according to claim 6, it is characterized in that, also comprise disk parameter data recovery unit (7), be used for when to detect disk parameter be imperfect in disk parameter Data Detection unit, call the disk parameter data in this unit, the force revert data in magnetic disk.
8. computer system according to claim 6, it is characterized in that, describedly also comprise trusted file tabulation (11), be used for after the disk parameter Data Detection is finished, search contrast operation system trusted file name, detect all trusted file and whether exist, guarantee the integrality of operating system trusted file, call the trusted file detecting unit then and carry out single trusted file integrity detection.
9. computer system according to claim 8, it is characterized in that, also comprise operating system trusted file recovery unit (9), when operating system integrity detection unit (6) compares by trusted file tabulation (11) or trusted file metric (12) the operating system trusted file, after carrying out integrity detection, determine that the operating system trusted file is imperfect or when being distorted, call the operating system trusted recovery file of preserving in advance, this trusted file of force revert, the operating system environment that regains one's integrity.
10. computer system according to claim 9, it is characterized in that, described trusted file metric (12), disk parameter metric (10), trusted file tabulation (11), EFI code image recovery unit (8), disk parameter data recovery unit (7) and operating system trusted recovery file unit (9) are stored in the EFI safe storage parts.
11. computer system according to claim 10 is characterized in that, described EFI safe storage parts are the local secure storage parts, perhaps external safe storage parts.
12. computer system according to claim 11 is characterized in that, when described external safe storage parts were the telesecurity memory unit, described operating system trusted recovery file unit (9) was stored in the telesecurity memory unit;
Described computer system also comprises the simple network driver element, simple TCP Socket driver element, be used for when definite operating system file is imperfect, call the simple network driver element, simple TCP Socket driver element is connected to the telesecurity memory unit by network, and the operating system trusted recovery file that is stored in the telesecurity memory unit is downloaded to the local recovery operating system file.
13. computer system according to claim 5, it is characterized in that, also comprise the Integrity Management unit, when being used to be provided with the EFI startup, whether need complete detection start-up mode, and can allow the user, regenerate disk parameter metric (10) according to the credible associated documents of operating system that the needs customization operations system of system operation relates to, trusted file tabulation (11), trusted file metric (12).
14. computer system according to claim 13 is characterized in that, described Integrity Management unit comprises:
Safe class is provided with the unit: the start-up mode that is used to be provided with described computer system;
Integrality preset unit: be used for customization operations system trusted file, regenerate disk parameter metric (10), trusted file tabulation (11), trusted file metric (12) and operating system trusted file, when system carries out integrity detection once more, carry out the operating system integrity detection according to new benchmark;
EFI integrality preset unit: when the user selected the EFI integrality to preset management, operation EFI integrality preset unit generated new EFI integrity measurement value.
15. the method that computer system integrity detects is characterized in that, comprises the EFI integrity detection, promptly comprises the following steps:
Steps A: powering in system moves to the PEI stage, and after the basic initialization of CPU, chipset, mainboard was finished, according to the operational mode unit, whether decision opened the integrity detection start-up mode, otherwise directly opens computer system according to common start-up mode;
Step B: when starting EFI BIOS, call EFI integrity detection unit (5) and calculate EFI integrality calculated value with the integrity detection start-up mode;
Step C: judge relatively whether current EFI integrity measurement value and calculated value equate, if equate, illustrate that then the EFI code image is complete, carry out EFI BIOS and start subsequent process; If unequal, illustrate that the EFI code image is imperfect, carry out subsequent process.
16. computer system integrity detection method according to claim 15 is characterized in that, described EFI integrity detection also comprises the steps:
Step D: when the EFI code image is imperfect, the EFI image recovery the code whether user selects to call in the EFI image file recovery unit (8) recovers, if then carry out the EFI code image and recover, finish the EFI integrity detection, carry out EFI BIOS subsequent process; Otherwise it is out of service.
17., it is characterized in that according to claim 15 or 16 described computer system integrity detection methods, also comprise the operating system integrity detection, promptly also comprise the following steps:
Step e: after the EFI integrity detection is finished, the flow process in operation DXE stage, DXE scheduling operation system integrity detecting unit (6) is loaded into internal memory;
Step F: enter the BDS stage, if the operational mode unit is the integrity detection setting, the described operating system integrity detection unit of invocation step E (6) then;
Step G: the trusted file detecting unit call operation system integrity detection method in the operating system integrity detection unit (6), execution is carried out integrity detection to each trusted file, judge relatively whether each trusted file code is distorted, generate the trusted file calculated value at each file successively, the operating system file integrality is detected;
Step H: compare with calculated value according to trusted file metric (12), determine the integrality of single trusted file, and then the integrality of definite all trusted file of operating system.
18. computer system integrity detection method according to claim 17 is characterized in that, described operating system integrity detection also comprises the following steps:
Step I: when the operating system trusted file was distorted, the prompting user can carry out the operating system trusted file and recover, if the user selects not recover, then stopped the load operation system, if after the user selects to recover, carry out next step;
Step J: whether the file of detecting operation system is consistent with corresponding operating system trusted file, if all consistent, loads and the operation system; Otherwise, enter next step;
Step K: whether the prompting user recovers, if the user selects not recover, then stops the load operation system, if then the user selects to recover, then corresponding operating system trusted file all is replicated and covers corresponding file, loads and the operation system.
19. integrality detection method according to claim 18 is characterized in that, described step G comprises the steps:
Step G1: operating system integrity detection unit (6) is at first called disk parameter Data Detection unit, reading disk parameter MBR, active partition, partition table information is calculated MBR, active partition by hashing algorithm, the calculated value of partition table information, and compare with disk parameter metric (10), whether detect disk parameter complete, and just the trusted file detecting unit in the call operation system integrity detecting unit (6) carries out integrity detection to single trusted file then.
20. computer system integrity detection method according to claim 19 is characterized in that described step G1 comprises the steps:
Step G11: when to detect disk parameter be imperfect in disk parameter Data Detection unit, call the disk parameter data in the disk parameter recovery unit (7), the force revert data in magnetic disk.
21. computer system integrity detection method according to claim 20 is characterized in that described step G also comprises the following steps:
Step G2: after the disk parameter Data Detection is finished, carrying out operating system trusted file tabulation (11) detects, search contrast operation system trusted file name, whether detect all trusted file all exists, guarantee the integrality of operating system trusted file, just call the trusted file detecting unit then and carry out single trusted file integrity detection.
22. computer system integrity detection method according to claim 21 is characterized in that described step G2 also comprises the following steps:
Step G21: when operating system trusted file tabulation (11) detected the operating system trusted file and do not exist, force call operating system trusted file recovery unit (9) recovered this operating system trusted file.
23. computer system integrity detection method according to claim 17 is characterized in that, described operating system integrity detection also comprises the following steps:
Step I: when operating system file is imperfect, the prompting user can carry out the operating system trusted file and recover, if the user selects not recover, then stop the load operation system, after if the user selects to recover, call the simple network driver element, simple TCP Socket driver element is connected to telecommunication network;
Step J: whether corresponding operating system trusted file is consistent on the file that detects the local operation system and the remote server, if all consistent, close bottom-layer network and connects, and loads also operation system; Otherwise, enter next step;
Step K: whether the prompting user recovers, if the user selects not recover, then stop the load operation system, if then the user selects to recover, then the corresponding operating system trusted file on the remote server is replicated and is sent to this locality, cover corresponding file, close bottom-layer network then and connect, load and the operation system.
24. integrality detection method according to claim 23 is characterized in that, described step G comprises the steps:
Step G1: operating system integrity detection unit (6) is at first called disk parameter Data Detection unit, reading disk parameter MBR, active partition, partition table information is calculated MBR, active partition by hashing algorithm, the calculated value of partition table information, and compare with disk parameter metric (10), whether detect disk parameter complete, and just the trusted file detecting unit in the call operation system integrity detecting unit (6) carries out integrity detection to single trusted file then.
25. computer system integrity detection method according to claim 24 is characterized in that described step G1 comprises the steps:
Step G11: when to detect disk parameter be imperfect in disk parameter Data Detection unit, call the disk parameter data in this unit, the force revert data in magnetic disk.
26. computer system integrity detection method according to claim 25 is characterized in that described step G also comprises the following steps:
Step G2: after the disk parameter Data Detection is finished, carrying out operating system trusted file tabulation (11) detects, search contrast operation system trusted file name, whether detect all trusted file all exists, guarantee the integrality of operating system trusted file, just call trusted file detecting unit (6) then and carry out single trusted file integrity detection.
27. computer system integrity detection method according to claim 26 is characterized in that described step G2 also comprises the following steps:
Step G21: when operating system trusted file tabulation detects the operating system trusted file and do not exist, the prompting user can carry out the operating system trusted file and recover, if the user selects not recover, then stop the load operation system, after if the user selects to recover, call the simple network driver element, simple TCP Socket driver element is connected to telecommunication network;
Step G22: whether corresponding operating system trusted file is consistent on the file that detects the local operation system and the remote server, if all consistent, close bottom-layer network and connects, and returns and carries out operating system trusted file tabulation (11) inspection again; Otherwise, enter next step;
Step G23: whether the prompting user recovers, if the user selects not recover, then stop the load operation system, if then the user selects to recover, then the corresponding operating system trusted file on the remote server is replicated and is sent to this locality, cover corresponding file, close bottom-layer network then and connect, return and carry out operating system trusted file tabulation (11) inspection again.
28. computer system integrity detection method according to claim 17 is characterized in that, also comprises the Integrity Management configuration, it comprises the steps:
Step L: after the user has passed through the operating system integrity detection, select whether to enter operating system Integrity Management unit;
Step M:, then directly start the operating system if the user does not select to enter operating system Integrity Management unit; When the user selects to enter operating system Integrity Management unit, display operation system integrity administration interface, the user manages configuration to the operating system integrality.
29. computer system integrity detection method according to claim 28 is characterized in that described step M comprises the following steps:
Step M1: when the user selected the safe class management, the security of operation grade was provided with the unit, and present computer system security grade is set;
Step M2: when user's selection operation system integrity file presets management, operation system integrity file preset unit, customization operating system trusted file;
Step M3: when the user selected the EFI code integrity to preset management, operation EFI integrality preset unit generated new EFI integrity measurement value.
30. operating system integrality detection method according to claim 29 is characterized in that described step M2 comprises the following steps:
Step M21: operation system integrity file preset unit, prompting is also selected to increase or is reduced the operating system trusted file by the user;
Step M22: the operating system trusted file according to the user selects generates disk parameter metric (10), trusted file tabulation (11), trusted file metric (12) and the operating system trusted file that relates to thereof;
Step M23: will generate disk parameter metric (10), trusted file tabulation (11), trusted file metric (12) and the operating system trusted file that relates to thereof store EFI safe storage parts into;
Step M24: return system integrity administrative unit.
CNB2005101128925A 2005-10-19 2005-10-19 A computer system and method to check completely Expired - Fee Related CN100428157C (en)

Priority Applications (3)

Application Number Priority Date Filing Date Title
CNB2005101128925A CN100428157C (en) 2005-10-19 2005-10-19 A computer system and method to check completely
PCT/CN2006/000401 WO2007045133A1 (en) 2005-10-19 2006-03-15 A computer system and a method which can perform integrity checking
US12/083,894 US8468342B2 (en) 2005-10-19 2006-03-15 Computer system and method for performing integrity detection on the same

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CNB2005101128925A CN100428157C (en) 2005-10-19 2005-10-19 A computer system and method to check completely

Publications (2)

Publication Number Publication Date
CN1952885A true CN1952885A (en) 2007-04-25
CN100428157C CN100428157C (en) 2008-10-22

Family

ID=37962182

Family Applications (1)

Application Number Title Priority Date Filing Date
CNB2005101128925A Expired - Fee Related CN100428157C (en) 2005-10-19 2005-10-19 A computer system and method to check completely

Country Status (3)

Country Link
US (1) US8468342B2 (en)
CN (1) CN100428157C (en)
WO (1) WO2007045133A1 (en)

Cited By (27)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101882189A (en) * 2010-06-30 2010-11-10 华南理工大学 Embedded-type system for ensuring completeness of program and realization method thereof
CN102819705A (en) * 2012-07-26 2012-12-12 郑州信大捷安信息技术股份有限公司 System and method for realizing system file integrity verification in master boot sector
CN103093141A (en) * 2013-01-17 2013-05-08 北京华大信安科技有限公司 Download method, guidance method and device of safe main control chip Coolcloud system (COS)
CN103294502A (en) * 2012-03-05 2013-09-11 联想(北京)有限公司 Method for obtaining loading path of operating system, and electronic equipment
CN103294498A (en) * 2012-03-05 2013-09-11 联想(北京)有限公司 Information processing method and electronic equipment
CN103294499A (en) * 2012-03-05 2013-09-11 联想(北京)有限公司 Information processing method and electronic equipment
CN103823732A (en) * 2014-02-27 2014-05-28 山东超越数控电子有限公司 Method for monitoring file integrity under LINUX operation system
CN104573417A (en) * 2014-09-10 2015-04-29 中电科技(北京)有限公司 UEFI (Unified Extensible Firmware Interface)-based software whole-process protection system and UEFI-based software whole-process protection method
CN104573500A (en) * 2014-09-10 2015-04-29 中电科技(北京)有限公司 UEFI (Unified Extensible Firmware Interface)-based software real-time protection system and UEFI-based software real-time protection method
CN104573501A (en) * 2014-09-10 2015-04-29 中电科技(北京)有限公司 Safety software protection interface device and method on basis of UEFI (Unified Extensible Firmware Interface)
CN104573499A (en) * 2014-09-10 2015-04-29 中电科技(北京)有限公司 Executable program file protection system and method on basis of UEFI (Unified Extensible Firmware Interface)
CN104573491A (en) * 2014-09-10 2015-04-29 中电科技(北京)有限公司 UEFI (Unified Extensible Firmware Interface)-based terminal management system and UEFI-based terminal management method
CN104881345A (en) * 2015-05-25 2015-09-02 上海兆芯集成电路有限公司 Central processing unit and computer power-on self-test method
CN104969233A (en) * 2012-12-31 2015-10-07 阿尔卡特朗讯公司 Alarm condition processing in network element
CN105354497A (en) * 2015-10-26 2016-02-24 浪潮电子信息产业股份有限公司 Computer protection apparatus and method
CN105740729A (en) * 2016-01-29 2016-07-06 浪潮电子信息产业股份有限公司 Method for checking credibility of system service program
CN105893833A (en) * 2016-03-31 2016-08-24 山东超越数控电子有限公司 Hardware interface used for firmware safety management
CN106293620A (en) * 2016-08-09 2017-01-04 浪潮电子信息产业股份有限公司 Method for detecting parameters in Flash Rom by intel platform
CN107015878A (en) * 2017-03-24 2017-08-04 联想(北京)有限公司 For system for computer restorative procedure and system
CN107066345A (en) * 2015-12-22 2017-08-18 中电科技(北京)有限公司 A kind of data recovery and backup method based on hard disk gap
CN107301348A (en) * 2017-05-19 2017-10-27 深圳市同泰怡信息技术有限公司 One kind detection rational algorithm of MBR contents
CN107392032A (en) * 2017-08-07 2017-11-24 浪潮(北京)电子信息产业有限公司 A kind of method and system credible checking BIOS
CN107657170A (en) * 2016-07-25 2018-02-02 北京计算机技术及应用研究所 The Trusted Loading for supporting intelligently to repair starts control system and method
CN110543769A (en) * 2019-08-29 2019-12-06 武汉大学 Trusted starting method based on encrypted TF card
CN110929268A (en) * 2020-02-03 2020-03-27 中软信息系统工程有限公司 Safe operation method, device and storage medium
CN111124515A (en) * 2019-12-20 2020-05-08 苏州浪潮智能科技有限公司 Cloud-based minimized BIOS (basic input output System) implementation method and system
CN114996226A (en) * 2021-11-05 2022-09-02 荣耀终端有限公司 Icon detection method, electronic device, readable storage medium, and program product

Families Citing this family (152)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9106694B2 (en) 2004-04-01 2015-08-11 Fireeye, Inc. Electronic message analysis for malware detection
US8528086B1 (en) 2004-04-01 2013-09-03 Fireeye, Inc. System and method of detecting computer worms
US8898788B1 (en) 2004-04-01 2014-11-25 Fireeye, Inc. Systems and methods for malware attack prevention
US8881282B1 (en) 2004-04-01 2014-11-04 Fireeye, Inc. Systems and methods for malware attack detection and identification
US7587537B1 (en) 2007-11-30 2009-09-08 Altera Corporation Serializer-deserializer circuits formed from input-output circuit registers
US8793787B2 (en) 2004-04-01 2014-07-29 Fireeye, Inc. Detecting malicious network content using virtual environment components
US8549638B2 (en) 2004-06-14 2013-10-01 Fireeye, Inc. System and method of containing computer worms
US8171553B2 (en) 2004-04-01 2012-05-01 Fireeye, Inc. Heuristic based capture with replay to virtual machine
US8566946B1 (en) 2006-04-20 2013-10-22 Fireeye, Inc. Malware containment on connection
US8584239B2 (en) 2004-04-01 2013-11-12 Fireeye, Inc. Virtual machine with dynamic data flow analysis
US8850571B2 (en) 2008-11-03 2014-09-30 Fireeye, Inc. Systems and methods for detecting malicious network content
US8997219B2 (en) 2008-11-03 2015-03-31 Fireeye, Inc. Systems and methods for detecting malicious PDF network content
US8832829B2 (en) 2009-09-30 2014-09-09 Fireeye, Inc. Network-based binary file extraction and analysis for malware detection
US9721101B2 (en) * 2013-06-24 2017-08-01 Red Hat, Inc. System wide root of trust chaining via signed applications
US8996851B2 (en) * 2010-08-10 2015-03-31 Sandisk Il Ltd. Host device and method for securely booting the host device with operating system code loaded from a storage device
DE102010048809A1 (en) 2010-10-20 2012-04-26 Hüttinger Elektronik Gmbh + Co. Kg Power supply system for a plasma application and / or an induction heating application
DE102010048810A1 (en) 2010-10-20 2012-04-26 Hüttinger Elektronik Gmbh + Co. Kg System for operating multiple plasma and / or induction heating processes
US8560888B1 (en) * 2011-02-11 2013-10-15 Bank Of America Corporation Method and apparatus for rebuilding an ATM computer image automatically
US8572742B1 (en) * 2011-03-16 2013-10-29 Symantec Corporation Detecting and repairing master boot record infections
US8782389B2 (en) 2011-07-19 2014-07-15 Sandisk Technologies Inc. Storage device and method for updating a shadow master boot record
US10572665B2 (en) 2012-12-28 2020-02-25 Fireeye, Inc. System and method to create a number of breakpoints in a virtual machine via virtual machine trapping events
US9176843B1 (en) 2013-02-23 2015-11-03 Fireeye, Inc. Framework for efficient security coverage of mobile software applications
US9195829B1 (en) 2013-02-23 2015-11-24 Fireeye, Inc. User interface with real-time visual playback along with synchronous textual analysis log display and event/time index for anomalous behavior detection in applications
US8990944B1 (en) 2013-02-23 2015-03-24 Fireeye, Inc. Systems and methods for automatically detecting backdoors
US9367681B1 (en) 2013-02-23 2016-06-14 Fireeye, Inc. Framework for efficient security coverage of mobile software applications using symbolic execution to reach regions of interest within an application
US9009823B1 (en) 2013-02-23 2015-04-14 Fireeye, Inc. Framework for efficient security coverage of mobile software applications installed on mobile devices
US9626509B1 (en) 2013-03-13 2017-04-18 Fireeye, Inc. Malicious content analysis with multi-version application support within single operating environment
US9104867B1 (en) 2013-03-13 2015-08-11 Fireeye, Inc. Malicious content analysis using simulated user interaction without user involvement
US9355247B1 (en) 2013-03-13 2016-05-31 Fireeye, Inc. File extraction from memory dump for malicious content analysis
US9311479B1 (en) 2013-03-14 2016-04-12 Fireeye, Inc. Correlation and consolidation of analytic data for holistic view of a malware attack
US9430646B1 (en) 2013-03-14 2016-08-30 Fireeye, Inc. Distributed systems and methods for automatically detecting unknown bots and botnets
US9413781B2 (en) 2013-03-15 2016-08-09 Fireeye, Inc. System and method employing structured intelligence to verify and contain threats at endpoints
US10713358B2 (en) 2013-03-15 2020-07-14 Fireeye, Inc. System and method to extract and utilize disassembly features to classify software intent
US9251343B1 (en) * 2013-03-15 2016-02-02 Fireeye, Inc. Detecting bootkits resident on compromised computers
US9495180B2 (en) 2013-05-10 2016-11-15 Fireeye, Inc. Optimized resource allocation for virtual machines within a malware content detection system
US9635039B1 (en) 2013-05-13 2017-04-25 Fireeye, Inc. Classifying sets of malicious indicators for detecting command and control communications associated with malware
US10133863B2 (en) 2013-06-24 2018-11-20 Fireeye, Inc. Zero-day discovery system
US9300686B2 (en) 2013-06-28 2016-03-29 Fireeye, Inc. System and method for detecting malicious links in electronic messages
US9736179B2 (en) 2013-09-30 2017-08-15 Fireeye, Inc. System, apparatus and method for using malware analysis results to drive adaptive instrumentation of virtual machines to improve exploit detection
US9294501B2 (en) 2013-09-30 2016-03-22 Fireeye, Inc. Fuzzy hash of behavioral results
US9690936B1 (en) 2013-09-30 2017-06-27 Fireeye, Inc. Multistage system and method for analyzing obfuscated content for malware
US10515214B1 (en) 2013-09-30 2019-12-24 Fireeye, Inc. System and method for classifying malware within content created during analysis of a specimen
US9628507B2 (en) 2013-09-30 2017-04-18 Fireeye, Inc. Advanced persistent threat (APT) detection center
US9171160B2 (en) 2013-09-30 2015-10-27 Fireeye, Inc. Dynamically adaptive framework and method for classifying malware using intelligent static, emulation, and dynamic analyses
US9921978B1 (en) 2013-11-08 2018-03-20 Fireeye, Inc. System and method for enhanced security of storage devices
US9747446B1 (en) 2013-12-26 2017-08-29 Fireeye, Inc. System and method for run-time object classification
US9756074B2 (en) 2013-12-26 2017-09-05 Fireeye, Inc. System and method for IPS and VM-based detection of suspicious objects
US9740857B2 (en) 2014-01-16 2017-08-22 Fireeye, Inc. Threat-aware microvisor
US9262635B2 (en) 2014-02-05 2016-02-16 Fireeye, Inc. Detection efficacy of virtual machine-based analysis with application specific events
US9241010B1 (en) 2014-03-20 2016-01-19 Fireeye, Inc. System and method for network behavior detection
US10242185B1 (en) 2014-03-21 2019-03-26 Fireeye, Inc. Dynamic guest image creation and rollback
US9591015B1 (en) 2014-03-28 2017-03-07 Fireeye, Inc. System and method for offloading packet processing and static analysis operations
US9223972B1 (en) 2014-03-31 2015-12-29 Fireeye, Inc. Dynamically remote tuning of a malware content detection system
US9432389B1 (en) 2014-03-31 2016-08-30 Fireeye, Inc. System, apparatus and method for detecting a malicious attack based on static analysis of a multi-flow object
US9594912B1 (en) 2014-06-06 2017-03-14 Fireeye, Inc. Return-oriented programming detection
US9973531B1 (en) 2014-06-06 2018-05-15 Fireeye, Inc. Shellcode detection
US9438623B1 (en) 2014-06-06 2016-09-06 Fireeye, Inc. Computer exploit detection using heap spray pattern matching
US10084813B2 (en) 2014-06-24 2018-09-25 Fireeye, Inc. Intrusion prevention and remedy system
US10805340B1 (en) 2014-06-26 2020-10-13 Fireeye, Inc. Infection vector and malware tracking with an interactive user display
US9398028B1 (en) 2014-06-26 2016-07-19 Fireeye, Inc. System, device and method for detecting a malicious attack based on communcations between remotely hosted virtual machines and malicious web servers
US10002252B2 (en) 2014-07-01 2018-06-19 Fireeye, Inc. Verification of trusted threat-aware microvisor
US9363280B1 (en) 2014-08-22 2016-06-07 Fireeye, Inc. System and method of detecting delivery of malware using cross-customer data
CN104573487B (en) * 2014-09-10 2017-08-01 中电科技(北京)有限公司 A kind of terminal real-time positioning system and method based on UEFI
US10671726B1 (en) 2014-09-22 2020-06-02 Fireeye Inc. System and method for malware analysis using thread-level event monitoring
US10027689B1 (en) 2014-09-29 2018-07-17 Fireeye, Inc. Interactive infection visualization for improved exploit detection and signature generation for malware and malware families
US9773112B1 (en) 2014-09-29 2017-09-26 Fireeye, Inc. Exploit detection of malware and malware families
US9690933B1 (en) 2014-12-22 2017-06-27 Fireeye, Inc. Framework for classifying an object as malicious with machine learning for deploying updated predictive models
US10075455B2 (en) 2014-12-26 2018-09-11 Fireeye, Inc. Zero-day rotating guest image profile
US9934376B1 (en) 2014-12-29 2018-04-03 Fireeye, Inc. Malware detection appliance architecture
US9838417B1 (en) 2014-12-30 2017-12-05 Fireeye, Inc. Intelligent context aware user interaction for malware detection
US9690606B1 (en) 2015-03-25 2017-06-27 Fireeye, Inc. Selective system call monitoring
US10148693B2 (en) 2015-03-25 2018-12-04 Fireeye, Inc. Exploit detection system
US9438613B1 (en) 2015-03-30 2016-09-06 Fireeye, Inc. Dynamic content activation for automated analysis of embedded objects
US10417031B2 (en) 2015-03-31 2019-09-17 Fireeye, Inc. Selective virtualization for security threat detection
US9483644B1 (en) 2015-03-31 2016-11-01 Fireeye, Inc. Methods for detecting file altering malware in VM based analysis
US10474813B1 (en) 2015-03-31 2019-11-12 Fireeye, Inc. Code injection technique for remediation at an endpoint of a network
US9654485B1 (en) 2015-04-13 2017-05-16 Fireeye, Inc. Analytics-based security monitoring system and method
US9594904B1 (en) 2015-04-23 2017-03-14 Fireeye, Inc. Detecting malware based on reflection
US10454950B1 (en) 2015-06-30 2019-10-22 Fireeye, Inc. Centralized aggregation technique for detecting lateral movement of stealthy cyber-attacks
US10726127B1 (en) 2015-06-30 2020-07-28 Fireeye, Inc. System and method for protecting a software component running in a virtual machine through virtual interrupts by the virtualization layer
US10642753B1 (en) 2015-06-30 2020-05-05 Fireeye, Inc. System and method for protecting a software component running in virtual machine using a virtualization layer
US11113086B1 (en) 2015-06-30 2021-09-07 Fireeye, Inc. Virtual system and method for securing external network connectivity
US10715542B1 (en) 2015-08-14 2020-07-14 Fireeye, Inc. Mobile application risk analysis
US10176321B2 (en) 2015-09-22 2019-01-08 Fireeye, Inc. Leveraging behavior-based rules for malware family classification
US10033747B1 (en) 2015-09-29 2018-07-24 Fireeye, Inc. System and method for detecting interpreter-based exploit attacks
US10601865B1 (en) 2015-09-30 2020-03-24 Fireeye, Inc. Detection of credential spearphishing attacks using email analysis
US9825976B1 (en) 2015-09-30 2017-11-21 Fireeye, Inc. Detection and classification of exploit kits
US9825989B1 (en) 2015-09-30 2017-11-21 Fireeye, Inc. Cyber attack early warning system
US10210329B1 (en) 2015-09-30 2019-02-19 Fireeye, Inc. Method to detect application execution hijacking using memory protection
US10817606B1 (en) 2015-09-30 2020-10-27 Fireeye, Inc. Detecting delayed activation malware using a run-time monitoring agent and time-dilation logic
US10706149B1 (en) 2015-09-30 2020-07-07 Fireeye, Inc. Detecting delayed activation malware using a primary controller and plural time controllers
US10284575B2 (en) 2015-11-10 2019-05-07 Fireeye, Inc. Launcher for setting analysis environment variations for malware detection
US10846117B1 (en) 2015-12-10 2020-11-24 Fireeye, Inc. Technique for establishing secure communication between host and guest processes of a virtualization architecture
US10447728B1 (en) 2015-12-10 2019-10-15 Fireeye, Inc. Technique for protecting guest processes using a layered virtualization architecture
US10108446B1 (en) 2015-12-11 2018-10-23 Fireeye, Inc. Late load technique for deploying a virtualization layer underneath a running operating system
US10050998B1 (en) 2015-12-30 2018-08-14 Fireeye, Inc. Malicious message analysis system
US10621338B1 (en) 2015-12-30 2020-04-14 Fireeye, Inc. Method to detect forgery and exploits using last branch recording registers
US10565378B1 (en) 2015-12-30 2020-02-18 Fireeye, Inc. Exploit of privilege detection framework
US10133866B1 (en) 2015-12-30 2018-11-20 Fireeye, Inc. System and method for triggering analysis of an object for malware in response to modification of that object
US9824216B1 (en) 2015-12-31 2017-11-21 Fireeye, Inc. Susceptible environment detection system
US11552986B1 (en) 2015-12-31 2023-01-10 Fireeye Security Holdings Us Llc Cyber-security framework for application of virtual features
US10581874B1 (en) 2015-12-31 2020-03-03 Fireeye, Inc. Malware detection system with contextual analysis
US20170230186A1 (en) * 2016-02-05 2017-08-10 Samsung Electronics Co., Ltd. File management apparatus and method for verifying integrity
US10785255B1 (en) 2016-03-25 2020-09-22 Fireeye, Inc. Cluster configuration within a scalable malware detection system
US10671721B1 (en) 2016-03-25 2020-06-02 Fireeye, Inc. Timeout management services
US10476906B1 (en) 2016-03-25 2019-11-12 Fireeye, Inc. System and method for managing formation and modification of a cluster within a malware detection system
US10601863B1 (en) 2016-03-25 2020-03-24 Fireeye, Inc. System and method for managing sensor enrollment
US10826933B1 (en) 2016-03-31 2020-11-03 Fireeye, Inc. Technique for verifying exploit/malware at malware detection appliance through correlation with endpoints
US10893059B1 (en) 2016-03-31 2021-01-12 Fireeye, Inc. Verification and enhancement using detection systems located at the network periphery and endpoint devices
US10169585B1 (en) 2016-06-22 2019-01-01 Fireeye, Inc. System and methods for advanced malware detection through placement of transition events
US10462173B1 (en) 2016-06-30 2019-10-29 Fireeye, Inc. Malware detection verification and enhancement by coordinating endpoint and malware detection systems
US10592678B1 (en) 2016-09-09 2020-03-17 Fireeye, Inc. Secure communications between peers using a verified virtual trusted platform module
US10491627B1 (en) 2016-09-29 2019-11-26 Fireeye, Inc. Advanced malware detection using similarity analysis
US10795991B1 (en) 2016-11-08 2020-10-06 Fireeye, Inc. Enterprise search
US10587647B1 (en) 2016-11-22 2020-03-10 Fireeye, Inc. Technique for malware detection capability comparison of network security devices
US10552610B1 (en) 2016-12-22 2020-02-04 Fireeye, Inc. Adaptive virtual machine snapshot update framework for malware behavioral analysis
US10581879B1 (en) 2016-12-22 2020-03-03 Fireeye, Inc. Enhanced malware detection for generated objects
US10523609B1 (en) 2016-12-27 2019-12-31 Fireeye, Inc. Multi-vector malware detection and analysis
US10904286B1 (en) 2017-03-24 2021-01-26 Fireeye, Inc. Detection of phishing attacks using similarity analysis
US10798112B2 (en) 2017-03-30 2020-10-06 Fireeye, Inc. Attribute-controlled malware detection
US10902119B1 (en) 2017-03-30 2021-01-26 Fireeye, Inc. Data extraction system for malware analysis
US10791138B1 (en) 2017-03-30 2020-09-29 Fireeye, Inc. Subscription-based malware detection
US10554507B1 (en) 2017-03-30 2020-02-04 Fireeye, Inc. Multi-level control for enhanced resource and object evaluation management of malware detection system
WO2018190846A1 (en) 2017-04-13 2018-10-18 Hewlett-Packard Development Company, L.P. Boot data validity
US10601848B1 (en) 2017-06-29 2020-03-24 Fireeye, Inc. Cyber-security system and method for weak indicator detection and correlation to generate strong indicators
US10503904B1 (en) 2017-06-29 2019-12-10 Fireeye, Inc. Ransomware detection and mitigation
US10855700B1 (en) 2017-06-29 2020-12-01 Fireeye, Inc. Post-intrusion detection of cyber-attacks during lateral movement within networks
US10893068B1 (en) 2017-06-30 2021-01-12 Fireeye, Inc. Ransomware file modification prevention technique
US10747872B1 (en) 2017-09-27 2020-08-18 Fireeye, Inc. System and method for preventing malware evasion
US10805346B2 (en) 2017-10-01 2020-10-13 Fireeye, Inc. Phishing attack detection
US11108809B2 (en) 2017-10-27 2021-08-31 Fireeye, Inc. System and method for analyzing binary code for malware classification using artificial neural network techniques
US11271955B2 (en) 2017-12-28 2022-03-08 Fireeye Security Holdings Us Llc Platform and method for retroactive reclassification employing a cybersecurity-based global data store
US11240275B1 (en) 2017-12-28 2022-02-01 Fireeye Security Holdings Us Llc Platform and method for performing cybersecurity analyses employing an intelligence hub with a modular architecture
US11005860B1 (en) 2017-12-28 2021-05-11 Fireeye, Inc. Method and system for efficient cybersecurity analysis of endpoint events
US10826931B1 (en) 2018-03-29 2020-11-03 Fireeye, Inc. System and method for predicting and mitigating cybersecurity system misconfigurations
US10956477B1 (en) 2018-03-30 2021-03-23 Fireeye, Inc. System and method for detecting malicious scripts through natural language processing modeling
US11003773B1 (en) 2018-03-30 2021-05-11 Fireeye, Inc. System and method for automatically generating malware detection rule recommendations
US11558401B1 (en) 2018-03-30 2023-01-17 Fireeye Security Holdings Us Llc Multi-vector malware detection data sharing system for improved detection
US11075930B1 (en) 2018-06-27 2021-07-27 Fireeye, Inc. System and method for detecting repetitive cybersecurity attacks constituting an email campaign
US11314859B1 (en) 2018-06-27 2022-04-26 FireEye Security Holdings, Inc. Cyber-security system and method for detecting escalation of privileges within an access token
US11228491B1 (en) 2018-06-28 2022-01-18 Fireeye Security Holdings Us Llc System and method for distributed cluster configuration monitoring and management
US11316900B1 (en) 2018-06-29 2022-04-26 FireEye Security Holdings Inc. System and method for automatically prioritizing rules for cyber-threat detection and mitigation
US11182473B1 (en) 2018-09-13 2021-11-23 Fireeye Security Holdings Us Llc System and method for mitigating cyberattacks against processor operability by a guest process
US11763004B1 (en) 2018-09-27 2023-09-19 Fireeye Security Holdings Us Llc System and method for bootkit detection
US12074887B1 (en) 2018-12-21 2024-08-27 Musarubra Us Llc System and method for selectively processing content after identification and removal of malicious content
US11368475B1 (en) 2018-12-21 2022-06-21 Fireeye Security Holdings Us Llc System and method for scanning remote services to locate stored objects with malware
US11258806B1 (en) 2019-06-24 2022-02-22 Mandiant, Inc. System and method for automatically associating cybersecurity intelligence to cyberthreat actors
US11556640B1 (en) 2019-06-27 2023-01-17 Mandiant, Inc. Systems and methods for automated cybersecurity analysis of extracted binary string sets
US11392700B1 (en) 2019-06-28 2022-07-19 Fireeye Security Holdings Us Llc System and method for supporting cross-platform data verification
US11886585B1 (en) 2019-09-27 2024-01-30 Musarubra Us Llc System and method for identifying and mitigating cyberattacks through malicious position-independent code execution
US11637862B1 (en) 2019-09-30 2023-04-25 Mandiant, Inc. System and method for surfacing cyber-security threats with a self-learning recommendation engine
CN111538986B (en) * 2020-04-15 2023-05-09 南京东科优信网络安全技术研究院有限公司 Device and method for dynamically measuring computer trusted state based on call stack track

Family Cites Families (14)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5732268A (en) * 1996-02-26 1998-03-24 Award Software International Extended BIOS adapted to establish remote communication for diagnostics and repair
US6948094B2 (en) 2001-09-28 2005-09-20 Intel Corporation Method of correcting a machine check error
GB2382419B (en) * 2001-11-22 2005-12-14 Hewlett Packard Co Apparatus and method for creating a trusted environment
CN1458587A (en) * 2002-05-15 2003-11-26 纬创资通股份有限公司 Method and system for turning-on user's end computr system through network
CN100472460C (en) * 2002-12-11 2009-03-25 联想(北京)有限公司 Detection and display method and device for computer self-test information
US7231512B2 (en) * 2002-12-18 2007-06-12 Intel Corporation Technique for reconstituting a pre-boot firmware environment after launch of an operating system
US7395420B2 (en) * 2003-02-12 2008-07-01 Intel Corporation Using protected/hidden region of a magnetic media under firmware control
US7136994B2 (en) * 2003-05-13 2006-11-14 Intel Corporation Recovery images in an operational firmware environment
CN100476745C (en) * 2003-12-24 2009-04-08 英业达股份有限公司 Method for implementing automatic fault-tolerance of image file in Linux operating system booting process
US8001348B2 (en) * 2003-12-24 2011-08-16 Intel Corporation Method to qualify access to a block storage device via augmentation of the device's controller and firmware flow
US7207039B2 (en) * 2003-12-24 2007-04-17 Intel Corporation Secure booting and provisioning
US7725703B2 (en) * 2005-01-07 2010-05-25 Microsoft Corporation Systems and methods for securely booting a computer with a trusted processing module
US20060230165A1 (en) * 2005-03-25 2006-10-12 Zimmer Vincent J Method and apparatus for provisioning network infrastructure
US7752428B2 (en) * 2005-03-31 2010-07-06 Intel Corporation System and method for trusted early boot flow

Cited By (38)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101882189A (en) * 2010-06-30 2010-11-10 华南理工大学 Embedded-type system for ensuring completeness of program and realization method thereof
CN103294502A (en) * 2012-03-05 2013-09-11 联想(北京)有限公司 Method for obtaining loading path of operating system, and electronic equipment
CN103294498A (en) * 2012-03-05 2013-09-11 联想(北京)有限公司 Information processing method and electronic equipment
CN103294499A (en) * 2012-03-05 2013-09-11 联想(北京)有限公司 Information processing method and electronic equipment
CN103294502B (en) * 2012-03-05 2016-10-05 联想(北京)有限公司 A kind of method obtaining operating system load path and electronic equipment
CN102819705A (en) * 2012-07-26 2012-12-12 郑州信大捷安信息技术股份有限公司 System and method for realizing system file integrity verification in master boot sector
CN102819705B (en) * 2012-07-26 2014-11-19 郑州信大捷安信息技术股份有限公司 System and method for realizing system file integrity verification in master boot sector
CN104969233A (en) * 2012-12-31 2015-10-07 阿尔卡特朗讯公司 Alarm condition processing in network element
CN103093141A (en) * 2013-01-17 2013-05-08 北京华大信安科技有限公司 Download method, guidance method and device of safe main control chip Coolcloud system (COS)
CN103823732A (en) * 2014-02-27 2014-05-28 山东超越数控电子有限公司 Method for monitoring file integrity under LINUX operation system
CN104573500A (en) * 2014-09-10 2015-04-29 中电科技(北京)有限公司 UEFI (Unified Extensible Firmware Interface)-based software real-time protection system and UEFI-based software real-time protection method
CN104573491A (en) * 2014-09-10 2015-04-29 中电科技(北京)有限公司 UEFI (Unified Extensible Firmware Interface)-based terminal management system and UEFI-based terminal management method
CN104573501A (en) * 2014-09-10 2015-04-29 中电科技(北京)有限公司 Safety software protection interface device and method on basis of UEFI (Unified Extensible Firmware Interface)
CN104573499A (en) * 2014-09-10 2015-04-29 中电科技(北京)有限公司 Executable program file protection system and method on basis of UEFI (Unified Extensible Firmware Interface)
CN104573417A (en) * 2014-09-10 2015-04-29 中电科技(北京)有限公司 UEFI (Unified Extensible Firmware Interface)-based software whole-process protection system and UEFI-based software whole-process protection method
CN104573499B (en) * 2014-09-10 2019-01-15 中电科技(北京)有限公司 A kind of executable program file protection system and method based on UEFI
CN104573491B (en) * 2014-09-10 2017-08-01 中电科技(北京)有限公司 A kind of terminal management system and method based on UEFI
CN104881345A (en) * 2015-05-25 2015-09-02 上海兆芯集成电路有限公司 Central processing unit and computer power-on self-test method
CN104881345B (en) * 2015-05-25 2018-10-23 上海兆芯集成电路有限公司 The method of central processing unit and computer booting self-test
CN105354497A (en) * 2015-10-26 2016-02-24 浪潮电子信息产业股份有限公司 Computer protection apparatus and method
CN107066345A (en) * 2015-12-22 2017-08-18 中电科技(北京)有限公司 A kind of data recovery and backup method based on hard disk gap
CN105740729A (en) * 2016-01-29 2016-07-06 浪潮电子信息产业股份有限公司 Method for checking credibility of system service program
CN105893833B (en) * 2016-03-31 2019-07-05 山东超越数控电子有限公司 A kind of hardware interface for firmware security management
CN105893833A (en) * 2016-03-31 2016-08-24 山东超越数控电子有限公司 Hardware interface used for firmware safety management
CN107657170B (en) * 2016-07-25 2020-12-01 北京计算机技术及应用研究所 Trusted loading starting control system and method supporting intelligent repair
CN107657170A (en) * 2016-07-25 2018-02-02 北京计算机技术及应用研究所 The Trusted Loading for supporting intelligently to repair starts control system and method
CN106293620B (en) * 2016-08-09 2019-05-14 浪潮电子信息产业股份有限公司 Method for detecting parameters in Flash Rom by intel platform
CN106293620A (en) * 2016-08-09 2017-01-04 浪潮电子信息产业股份有限公司 Method for detecting parameters in Flash Rom by intel platform
CN107015878A (en) * 2017-03-24 2017-08-04 联想(北京)有限公司 For system for computer restorative procedure and system
CN107015878B (en) * 2017-03-24 2020-05-26 联想(北京)有限公司 System repair method and system for computer
CN107301348A (en) * 2017-05-19 2017-10-27 深圳市同泰怡信息技术有限公司 One kind detection rational algorithm of MBR contents
CN107301348B (en) * 2017-05-19 2020-11-13 深圳市同泰怡信息技术有限公司 Algorithm for detecting rationality of MBR (Membrane biological reactor) content
CN107392032A (en) * 2017-08-07 2017-11-24 浪潮(北京)电子信息产业有限公司 A kind of method and system credible checking BIOS
CN110543769A (en) * 2019-08-29 2019-12-06 武汉大学 Trusted starting method based on encrypted TF card
CN110543769B (en) * 2019-08-29 2023-09-15 武汉大学 Trusted starting method based on encrypted TF card
CN111124515A (en) * 2019-12-20 2020-05-08 苏州浪潮智能科技有限公司 Cloud-based minimized BIOS (basic input output System) implementation method and system
CN110929268A (en) * 2020-02-03 2020-03-27 中软信息系统工程有限公司 Safe operation method, device and storage medium
CN114996226A (en) * 2021-11-05 2022-09-02 荣耀终端有限公司 Icon detection method, electronic device, readable storage medium, and program product

Also Published As

Publication number Publication date
US8468342B2 (en) 2013-06-18
US20090300415A1 (en) 2009-12-03
CN100428157C (en) 2008-10-22
WO2007045133A1 (en) 2007-04-26

Similar Documents

Publication Publication Date Title
CN100428157C (en) A computer system and method to check completely
US9886580B2 (en) Method for optimizing boot time of an information handling system
US9520998B2 (en) System and method for recovery key management
CN104850762B (en) Prevent the undesirable method of the movement of computer, computer program and computer
US20070174689A1 (en) Computer platform embedded operating system backup switching handling method and system
US10909247B2 (en) Computing device having two trusted platform modules
US20070174704A1 (en) Computer program automatic recovery activation control method and system
US20080288767A1 (en) Computer system
US10922071B2 (en) Centralized off-board flash memory for server devices
WO2004017195A1 (en) Using system bios to update embedded controller firmware
US7434042B2 (en) Apparatus, method and recording medium for starting up data processing system
WO2013009619A9 (en) System and method for validating components during a booting process
CN107480011A (en) BIOS switching devices
TW202030602A (en) The method and system of bios recovery and update
US20080184023A1 (en) Computer platform boot block program corruption recovery handling method and system
US20020162052A1 (en) Method for entering system firmware recovery mode using software-detectable buttons
CN109086085B (en) Operating system start management method and device
US20090210948A1 (en) Remote computer rebooting tool
CN101807163A (en) Method and system for saving and restoring basic input/output system data
CN116700801A (en) Configuration information management method, device and server
US10853085B2 (en) Adjustable performance boot system
CN102043633A (en) Computing equipment and starting method thereof
CN109992933A (en) The firmware of PIN-based code authorization starts method
CN117112520B (en) Log processing method and electronic equipment
US7653808B2 (en) Providing selectable processor abstraction layer components within one BIOS program

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20081022

Termination date: 20201019

CF01 Termination of patent right due to non-payment of annual fee